
CS TimeClock

Access Control Specification

Document Date: August 2013

Document Status: Version 1.2

Program Status:

Version 1. Implemented in CS TimeClocks version 1.15 and later.

Version 1.1. Implemented in CS TimeClocks version 1.16 and later.

Version 1.2. Implemented in CS TimeClocks version 2.04 and later.

© 2013 by CapeSoft Software


Contents

1. Introduction
2. Readers
3. Electronic Door Locks & Turnstiles
4. Open-Door Feedback
5. Areas
6. Anti-Passback
7. Pathing
8. Payroll Requirements
9. Access Rights
10. Time Zones
11. Locked Mode
12. Errors
13. Adding a reader to a clock
14. Relay Settings Table
15. Tables
Document version history
    Version 1.2


1. Introduction

The CS TimeClock range of clocks has a number of functions available to you that are helpful in limiting access to your premises. You are free to use as many, or as few, of these features as you like.

Note: To implement Access Control effectively you will need to either make use of the CS TimeClock Web Interface, or external PC software. Access Control functionality cannot be managed exclusively from the keypad.

This document covers information useful to the owner of the clock, as well as additional technical information aimed at programmers accessing the clock remotely.

2. Readers

Your clock can be configured with 2 readers, or with a single reader. Many of the Access Control features are only effective if the clock is configured with 2 readers. For large sites, with many clocks and/or many employees, dual readers will dramatically reduce the incidence of incorrect clockings. Extra readers are available if your clock only has 1 reader.

Some of the Access Control features are only useful when you have more than 1 clock. However, even with one clock some of the Access Control features are useful.

3. Electronic Door Locks & Turnstiles

Although the clock offers advanced access control functionality, the effectiveness of the access control depends largely on the physical mechanisms used to manage the people flow through the door.

The most effective mechanisms for managing people flow are turnstiles. These are electronically controlled, and only allow a single person through them at a time.

A less effective approach, but still a useful one, is to use a door with an electronic lock. A valid swipe is required to open the door; however, an unknown number of people can use the door while it is open.

CS TimeClocks have up to 3 relays capable of driving external devices.

Note: The number of external devices supported by the clock is dependent on the clock model. If you plan to use external locks, or turnstiles, make sure you select an appropriate clock model.


4. Open-Door Feedback

To prevent electronic doors from being propped open, a feedback mechanism has been built into the clock. However this mechanism is not yet available for use.

Note: The number of doors that can be monitored by the clock is dependent on the clock model. If you plan to monitor open doors, make sure you select an appropriate clock model.

5. Areas

The most fundamental concept around which all access control revolves is the concept of areas.

An area is a physical space bounded by one or more clocks. Even with a single clock there are always two default areas defined (Inside, and Outside). As you add more clocks to your system it becomes possible to divide Inside into two or more areas. As employees move from one area to another they may, or may not, be required to clock.

Example: You have a clock on your main front door, and another on the cafeteria door. When employees arrive for work they move into area “Office”. At lunch time they move from area “Office” to area “Cafeteria”. They are now said to be IN the Cafeteria. After lunch they leave the Cafeteria, and move back into the Office. At the end of the day they leave the Office and go Outside.

If you are using access control then the first step is to draw a physical picture of your site, and identify what distinct areas you wish to have. Remember that you need a clock at every boundary between two areas. In our example above, if the cafeteria had 2 doors, then you would require 2 clocks to form the boundary between the office and the cafeteria.

Don’t forget that “Outside” is always one area.

Once you have your diagram, you can assign an “In” area, and an “Out” area to each reader that you have. While setting these the best questions to ask are “If the user swipes his card on this reader, which area is he going in to? If he swipes his card on this reader which area is he leaving?”

If you have 2 readers on the clock, then each reader will have a firm answer to these questions. Not surprisingly, when you have 2 readers, the In and Out areas are usually opposite for the 2 readers.

If you only have 1 reader on the clock then the clock will “toggle” the direction, depending on the employee’s current status. If he is already Out, then he’s coming In; if he’s already In, then he’s going Out, and so on. Please note that some access control functionality is restricted on clocks with only 1 reader, because the clock does not know for sure whether the employee is coming or going.

Tip: When talking about IN and OUT it’s easy to confuse this with the Payroll status of the employee. However the payroll status is completely independent of areas, and should be mentally ignored when setting up the IN and OUT area for the clock.

Advanced:

A clock with a single reader could be set to a specific direction, rather than to toggle. You would use this on a door that only allows employees to flow in one direction, or where they are required to clock IN to an area, but not OUT of it.

Equally, a clock with 2 readers can set BOTH readers to IN or both to OUT. In this case 1 clock can control 2 “one way” doors.

6. Anti-Passback

To activate Anti-passback for the clock:

1. Set the Area Restriction (CA) for the readers to 1.
2. Set the IN area for the readers.
3. Set the OUT area for the readers.
4. Make sure the otherdev table on all clocks is up to date.

ERROR TEXT = “Already in TO area”

Anti-passback is usually used in situations where a turnstile exists. If you do not have a mechanical limit on the entrance then turning this feature on in the clock does not have much of a “real” effect.

Anti-passback can be a useful feature, even if you only have a single clock.

The goal of anti-passback is to prevent an employee passing his card to another person, who is outside, while the employee is inside, thus allowing another person to enter on the same card.

This feature only applies if the clock has 2 readers, an IN reader and an OUT reader. If the clock only has 1 reader, then the clock will automatically toggle the user’s direction, so there’s no distinction between 2 people coming in, and 1 person coming in and going out.

Each reader on the clock needs to have the IN area and OUT area for the reader set.

If the Reader is set as an IN reader, then the employee is always moving from OUT to IN when using the reader. The rules for this reader therefore only apply when he is coming IN.

If the Reader is set as an OUT reader, then the employee is always moving from IN to OUT when using the reader. The rules for this reader therefore only apply when he is going OUT.

If the Reader is set as a TOGGLE reader, then the rules apply the same in both directions.

To activate Anti-passback for the reader, set the Area Restriction (CA) for the reader to 1.

If the employee attempts to clock in when they are already in, or out when they are already out, then the error displayed will be Already in TO area. A clocking, type 52, will be created to log the attempt.

Programmers Note:

Tables:

Daughter:
    ca1, ca2, ca3, caf1 is set to 1 for Anti-pass-back to be on.
    in1, in2, in3, inf1 is the IN Area id for each reader on the clock.
    out1, out2, out3, outf1 is the OUT Area id for each reader on the clock.

Area:
    The Area table (id and description) should be populated with descriptions for each area ID used in the daughter table.

OtherDev:
    If multiple clocks are used, then make sure the OtherDev table is populated with the serial number, and IP address of the remote clocks.

7. Pathing

To activate Pathing for the reader:

1. Set the Area Restriction (CA) for the reader to 2.
2. Set the IN area for the reader.
3. Set the OUT area for the reader.
4. Make sure the otherdev table on all clocks is up to date.

ERROR TEXT = “Not in FROM area”

Note: A good understanding of Areas is necessary before configuring a system for Pathing.

Pathing is the same as Anti-passback except an extra requirement is added. If pathing is on, the Anti-pass-back effect is on as well. With pathing an employee is REQUIRED to be in the IN area before they can clock to the OUT area, or they must be in the OUT area before they can go to the IN area.

Tip: For Anti-Passback the rule is “the employee must be anywhere but there” whereas with pathing the rule is “he has to be here to go there”. Thus pathing is a more restrictive form of anti-passback.

Pathing is typically used to enforce a “path” through the site for the employee to clock at.

If you have only one clock, then there is no practical difference between anti-passback and pathing.

For example:

An employee should clock in at the gate, cross the courtyard, then clock in to his building. When leaving he has to clock out of his building, and then clock out at the gate. So there are 3 areas involved, Outside, the Courtyard, and the Building. When he arrives he goes from the Outside area into the Courtyard area. He then goes from the Courtyard area into the Building area. If he now forgets to clock out of the building, he will NOT be allowed to go through the gate. Pathing says he can only go through the gate if he is in the Courtyard. Since he forgot to clock out the building, he is not in the Courtyard, and hence he will not be allowed through the gate. He will need to return to his building, clock out there, and then proceed to clock out the gate.

Pathing is most useful in the case where you have a mix of Access Control (only) clocks, and Access Control/Payroll clocks. It ensures that the user has clocked out correctly at the Payroll clock before leaving the site via an Access clock.

Each reader on the clock needs to have the IN area and OUT area for the reader set.

If the Reader is set as an IN reader, then the employee is always moving from OUT to IN when using the reader. The rules for this reader therefore only apply when he is coming IN.

If the Reader is set as an OUT reader, then the employee is always moving from IN to OUT when using the reader. The rules for this reader therefore only apply when he is going OUT.

If the Reader is set as a TOGGLE reader, then the rules apply the same in both directions.

TIP: Although pathing works with a single reader, humans make mistakes, and will forget to clock from time to time. To minimize the problems caused by missed clockings, we strongly recommend the use of two readers per clock (i.e. a distinct IN and OUT reader) where pathing is activated.

To activate Pathing for the reader, set the Area Restriction (CA) for the reader to 2.

The error displayed on the clock when the employee is not in the right area is Not in FROM area. A clocking, type 50, will be created to log the attempt.

Programmers Note:

Tables:

Daughter:
    ca1, ca2, ca3, caf1 is set to 2 for Pathing to be on.
    in1, in2, in3, inf1 is the IN Area id for each reader on the clock.
    out1, out2, out3, outf1 is the OUT Area id for each reader on the clock.

Area:
    The Area table (id and description) should be populated with descriptions for each area ID used in the daughter table.

OtherDev:
    If multiple clocks are used, then make sure the OtherDev table is populated with the serial number, and IP address of the remote clocks.
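
The anti-passback (CA=1) and pathing (CA=2) checks from sections 6 and 7, run over the gate/courtyard/building example, as an added Python sketch that is not CapeSoft code. The area ids 2 and 3, the reader names, and the choice to log type 50 for every pathing denial are assumptions; AE values 0 and 4 are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the page: CA (area restriction), AE (area effect),
# and the clocking types logged for each denial.
CA_NONE, CA_ANTI_PASSBACK, CA_PATHING = 0, 1, 2
AE_TO_IN, AE_TO_OUT, AE_TOGGLE = 1, 2, 3
NOT_IN_FROM_AREA = 50      # "Not in FROM area"
ALREADY_IN_TO_AREA = 52    # "Already in TO area"

# Area 0 (Outside) is a default area; ids 2 and 3 are constructed for this example.
OUTSIDE, COURTYARD, BUILDING = 0, 2, 3


@dataclass(frozen=True)
class Reader:
    name: str       # hypothetical label, not a field of the daughter table
    ae: int         # how the reader moves the employee between areas
    ca: int         # area restriction applied before the move
    in_area: int
    out_area: int


@dataclass(frozen=True)
class Result:
    allowed: bool
    area: int                     # employee's area after the swipe
    clocking_type: Optional[int]  # 50 or 52 on denial, None when allowed


def swipe(reader: Reader, current: int) -> Result:
    """Apply one reader's area rules to an employee currently in `current`."""
    if reader.ae == AE_TO_IN:
        to_area, from_area = reader.in_area, reader.out_area
    elif reader.ae == AE_TO_OUT:
        to_area, from_area = reader.out_area, reader.in_area
    elif reader.ae == AE_TOGGLE:
        # Move to the area the employee is not in; if in neither, go IN.
        if current == reader.in_area:
            to_area, from_area = reader.out_area, reader.in_area
        else:
            to_area, from_area = reader.in_area, reader.out_area
    else:
        raise ValueError("AE value not modelled in this example")

    # Anti-passback: "the employee must be anywhere but there".
    if reader.ca == CA_ANTI_PASSBACK and current == to_area:
        return Result(False, current, ALREADY_IN_TO_AREA)
    # Pathing: "he has to be here to go there". Being in the TO area also
    # fails this test, so the anti-passback effect is included.
    # Assumption: every pathing denial is logged as type 50.
    if reader.ca == CA_PATHING and current != from_area:
        return Result(False, current, NOT_IN_FROM_AREA)
    return Result(True, to_area, None)


def walk(readers, start: int):
    """Replay a sequence of swipes; a denied swipe leaves the area unchanged."""
    area, steps = start, []
    for reader in readers:
        result = swipe(reader, area)
        steps.append((reader.name, result))
        area = result.area
    return steps


def site(ca: int) -> dict:
    """Gate and building clocks, two readers each, all using restriction `ca`."""
    return {
        "gate_in": Reader("gate_in", AE_TO_IN, ca, COURTYARD, OUTSIDE),
        "gate_out": Reader("gate_out", AE_TO_OUT, ca, COURTYARD, OUTSIDE),
        "bldg_in": Reader("bldg_in", AE_TO_IN, ca, BUILDING, COURTYARD),
        "bldg_out": Reader("bldg_out", AE_TO_OUT, ca, BUILDING, COURTYARD),
    }


if __name__ == "__main__":
    p = site(CA_PATHING)
    # The employee forgets to clock out of the building before the gate.
    route = [p["gate_in"], p["bldg_in"], p["gate_out"], p["bldg_out"], p["gate_out"]]
    for name, result in walk(route, OUTSIDE):
        print(name, result)
```

With the same route under CA=1, the third swipe is allowed: anti-passback only rejects a swipe into the area the employee is already in, so a missed building clock-out goes unnoticed at the gate.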

8. Payroll Requirements

If you have a mix of Payroll and Access Control clocks, then you can limit the use of a specific Access Control clock, depending on the employee’s current Payroll status.

In other words you can require that an employee is clocked in before using an Access clock, or you can require that the employee is clocked out before using an Access clock.

Example:

Each work area has a payroll clock. When the employee leaves the work area they are required to clock out. Access Control clocks at the main gate, and cafeteria will deny the employee access (OUT, and IN respectively) if they have not clocked out at their workstation. While it is possible to make the Cafeteria, and Gate clocks automatically clock the employee out, there may be physical distances involved that make it preferable for the employee to clock out at their workstation.

Remember this setting is set on a per-reader basis. If you apply this feature at the main gate, you would want to prevent people leaving if they have not clocked out, but you would not necessarily want to prevent them entering if they are already clocked in. Thus the settings for the readers on any one clock may be different to each other.

Programmers Note:

Tables:

Daughter:
    pa1, pa2, pa3, paf1 is set to 1 if the employee must be IN, or to 2 if the employee must be out.
    in1, in2, in3, inf1 is the IN Area id for each reader on the clock.
    out1, out2, out3, outf1 is the OUT Area id for each reader on the clock.

Area:
    The Area table (id and description) should be populated with descriptions for each area ID used in the daughter table.

9. Access Rights

To activate Access Rights for the clock:

1. Optionally set the Default No Access setting to 1.
2. Optionally add specific employee/clock/access combinations.

ERROR TEXT = “Clock Not Authorized”

Access Rights determine if an employee is able to make use of a specific clock. Note that access rights are set at the clock level (parent or child), not the reader level.

If no specific setting is entered for a specific employee/clock combination then the default setting for this employee is used. If there is no default employee setting then the default setting for the clock is used.

The error that will appear on the clock if the employee does not have access to this clock is Clock Not Authorized. A clocking, type 54, will be created to log the attempt.

Programmers Note:

Tables:

Timezone
    Contains the id, description, and times for a specific time zone set.

Empaccess
    Links an employee, clock, and access right. The default setting for an employee has serial set to zero. If no records for a specific employee/clock exist then the employee default will apply. If no records for the employee exist, then the clock default will apply. Multiple records for an employee/clock combination are allowed.

    Tip: If multiple records exist for the employee/clock combination, because multiple time zones are in effect, then they should all have their Access field set to the same value (either 1 for access, or 0 for no access).

10. Time Zones

To activate Time Zones for the reader:

1. Create one or more Time Zone sets.
2. Set the Default Time Zone for the clock.
3. Optionally add specific employee/clock/timezone combinations.
4. Optionally set the Override Time Zone for the clock.
5. Optionally set the Time Zone On In Only setting.

ERROR TEXT = “Out Of Time Zone”

Time Zones allow you to limit the times when people can use the clock. For example you may decide that a clock used to access the cafeteria can only be used between 10am and 4pm. A remote depot may only be accessible during weekdays, from 6am to 6pm, and so on.

Note that time zones are set at the clock level, not the reader level.

On each clock, time zones can be enabled for IN and OUT clockings, or just for IN clockings.

A collection of time zones together is known as a Time Zone Set. For example, in a restaurant you may want to limit access to the morning (10am to 1pm) for cleanup and prep work, followed by a no-clock period, followed by the times for evening service (say 6pm to 11pm). These two time zones together would form a time zone set.

Each clock can be assigned a default time zone set. Employees without a specific time zone set for this clock will use this default.

Employees can be assigned a time zone set for a particular clock. If assigned to an employee this setting will override the default time zone set completely, i.e. they are exclusive in nature, not inclusive.

An override time zone set can be set for a clock. This overrides any time zone set that may have been assigned to individual employees.

You can create any number of time zones for a clock. Each time zone consists of an id number, a description, and start & end times for each day of the week. The end time can be smaller than the start time (i.e. implying that the time zone stretches across midnight).

To disable time zones completely on a clock set the overridetimezone to -1.

The error that will appear on the clock display, if the employee is outside his time zone, is Out of Time Zone. A clocking, type 51, will be created to log the attempt.

Programmers Note:

Tables:

Timezoneset
    Contains the id, description for a specific time zone set.

Timezone
    Contains the times when clocking is allowed. Also contains a link to the Timezoneset table.

Daughter
    Has settings for defaulttimezone, overridetimezone and timezoneoninonly.

Empaccess
    Links an employee, clock, and timezone set. The default setting for an employee has serial set to zero. If no records for a specific employee/clock exist then the employee default will apply. If no records for the employee exist, then the clock default will apply. Multiple records for an employee/clock combination are allowed.

    Tip: If multiple records exist for the employee/clock combination, because multiple time zones are in effect, then they should all have their Access field set to the same value (either 1 for access, or 0 for no access).
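
An added Python example (not CapeSoft code) of how the time zone rules above combine: the override set, the Empaccess fallback from employee/clock to employee default to clock default, timezoneoninonly, and windows that cross midnight. Clock serial 1001, the employee ids, `None` standing for "no override", half-open windows, and treating a wrapping window as running into the next morning are assumptions.

```python
from datetime import datetime, time

DISABLED = -1           # overridetimezone value that switches time zones off
OUT_OF_TIME_ZONE = 51   # clocking type logged for "Out of Time Zone"


def zone_allows(zone, when):
    """zone maps weekday (0=Monday) -> (start, end); end < start crosses midnight."""
    t = when.time()
    today = zone.get(when.weekday())
    if today:
        start, end = today
        if start < end and start <= t < end:
            return True
        if end < start and t >= start:        # evening part of a wrapping window
            return True
    prev = zone.get((when.weekday() - 1) % 7)
    if prev and prev[1] < prev[0] and t < prev[1]:
        return True                           # early-morning tail of yesterday's window
    return False


def resolve_sets(clock, empaccess, emp_id):
    """Return the time zone set ids that apply, or None if checking is disabled."""
    override = clock["overridetimezone"]
    if override == DISABLED:
        return None
    if override is not None:                  # assumption: None means "no override"
        return [override]
    # Specific employee/clock records first, then the employee default (serial 0).
    for key in ((emp_id, clock["serial"]), (emp_id, 0)):
        if key in empaccess:
            return empaccess[key]             # replaces the clock default entirely
    return [clock["defaulttimezone"]]


def check_clocking(clock, sets, empaccess, emp_id, going_in, when):
    """Return (allowed, clocking_type); clocking_type is None when allowed."""
    if clock["timezoneoninonly"] and not going_in:
        return True, None
    set_ids = resolve_sets(clock, empaccess, emp_id)
    if set_ids is None:
        return True, None
    for set_id in set_ids:
        if any(zone_allows(zone, when) for zone in sets.get(set_id, [])):
            return True, None
    return False, OUT_OF_TIME_ZONE


# Constructed sample data. Set 1 is the restaurant example from the text;
# set 2 is a Monday-to-Friday night window that crosses midnight.
SETS = {
    1: [{d: (time(10), time(13)) for d in range(7)},
        {d: (time(18), time(23)) for d in range(7)}],
    2: [{d: (time(22), time(6)) for d in range(5)}],
}
CLOCK = {"serial": 1001, "defaulttimezone": 1,
         "overridetimezone": None, "timezoneoninonly": 0}
EMPACCESS = {(9, 1001): [2]}   # employee 9 uses the night set on clock 1001

if __name__ == "__main__":
    for emp, going_in, when in [
        (7, True, datetime(2013, 8, 5, 11, 30)),   # Monday, inside 10am-1pm
        (7, True, datetime(2013, 8, 5, 15, 0)),    # Monday, in the no-clock period
        (9, True, datetime(2013, 8, 10, 2, 0)),    # Saturday 2am, Friday's window
        (9, True, datetime(2013, 8, 11, 2, 0)),    # Sunday 2am, no Saturday window
    ]:
        print(emp, when, check_clocking(CLOCK, SETS, EMPACCESS, emp, going_in, when))
```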

11. Locked Mode

To activate Locked mode for a clock:

1. Turn on the global setting called Locked.

There are times when the clock needs to be “off” with regard to people clocking. During these times employees cannot clock IN, and the clock will not trigger any of the doors or turnstiles to open. (Employees can clock OUT, and the doors will work for people clocking OUT.)

This mode is useful if the office is closed (for example for the annual holidays).

Administrators (not Supervisors) can Lock and Unlock the clock using the Administrator menu (#9).

The error that will appear on the clock display, if the clock is locked and the employee is attempting to clock in, is Clock Locked. A clocking, type 53, will be created to log the attempt.

Programmers Note:

Tables:

Daughter
    Has setting called locked.

12. Errors

If an employee attempts to clock, but fails because of one of the restrictions above, then one of the following errors will be displayed on the screen.

| Error | For more information see section |
|---|---|
| Already in TO area | Anti-passback |
| Not in FROM area | Pathing |
| Clock Not Authorized | Access Rights |
| Out of Time Zone | Time Zones |
| Clock Locked | Locked Mode |

13. Adding a reader to a clock

When adding a reader to a clock you need to set the following settings for the reader in the daughter table:

Setting: Possible Values

TD
    0 = Leave employee’s payroll status unchanged.
    1 = Set employee’s payroll status to IN.
    2 = Set employee’s payroll status to OUT.
    3 = Toggle employee’s payroll status.

AE
    0 = Leave employee’s area status unchanged.
    1 = Employee is moving to area set in IN setting.
    2 = Employee is moving to area set in OUT setting.
    3 = Employee is moving to area which he is not currently in (or if neither, then the area is set in IN).
    4 = Employee is moving to area specified in IN or OUT, depending on TD rule.

IN
    The area number designating the IN area.

OUT
    The area number designating the OUT area.

CA
    0 = No area restrictions.
    1 = Employee cannot already be there, i.e. if going IN then cannot already be in the IN area, if going OUT then cannot already be in the OUT area. (Anti-passback)
    2 = Employee must already be here, i.e. if going IN then their current area must be the OUT area, if they’re going OUT then their current area must be the IN area. (Pathing)

PA
    0 = No restrictions.
    1 = The employee’s payroll status must already be IN.
    2 = The employee’s payroll status must already be OUT.

DA
    0 = Do not display the area name of the area the employee is moving into.
    1 = On the screen, display the name of the area the employee is moving into.

INRB
    Set this to an appropriate number to trigger the relays that must pulse when the employee successfully uses this reader, and their PAYROLL status is changing to IN. (See the relay settings table below.)

OUTRB
    Set this to an appropriate number to trigger the relays that must pulse when the employee successfully uses this reader, and their PAYROLL status is changing to IN. (See the relay settings table below.)

INARB
    Set this to an appropriate number to trigger the relays that must pulse when the employee successfully uses this reader, and their ACCESS status is changing to the area designated in IN. This setting has preference over the INRB and OUTRB settings. (See the relay settings table below.)

OUTARB
    Set this to an appropriate number to trigger the relays that must pulse when the employee successfully uses this reader, and their ACCESS status is changing to the area designated in OUT. This setting has preference over the INRB and OUTRB settings. (See the relay settings table below.)

14. Relay Settings Table

There are up to 3 relays in a CS TimeClock. There is also an internal buzzer which is triggered as a relay. Each relay has a value:

| Relay Name | Value |
|---|---|
| Relay 1 | 1 |
| Relay 2 | 2 |
| Relay 3 | 4 |
| Buzzer | 128 |

The appropriate relay setting is determined by adding together the values of the relays that are desired.

Example:

1. Trigger Relay 1 by itself. Appropriate setting = 1.
2. Trigger Relay 1, and Relay 2 together. Appropriate setting = 1+2 = 3.
3. Trigger Relay 2, and Relay 3 together. Appropriate setting = 2+4 = 6.
4. Trigger Relay 3 and the Buzzer together. Appropriate setting = 4+128 = 132.
5. Trigger all Relays, and Buzzer. Appropriate setting = 1+2+4+128 = 135.

15. Tables

Tables in the database used wholly or partly by the Access Control features are:

| Table | Description |
|---|---|
| Area | Contains the id, and description of all the areas defined by the user. Area 0 (Outside) and Area 1 (Inside) are created by default. |
| Daughter | Settings for each clock, and for each reader are contained in this table. |
| Empaccess | Contains 0, 1 or more records for each employee, for each clock. Determines whether an employee can use a clock, and during what times the clock can be used. |
| TimeZoneSet | Contains an ID. This ID is the one assigned to employees and clocks. Employees allocated to this time zone set can use the clock(s) only during the periods of the day defined in the TimeZone records that belong to this set. |
| TimeZone | Can be one or more records per TimeZoneSet. Contains a start and end time for each day of the week. |

Document version history

Version 1.2.

1. Minor correction: Time zones can be disabled by setting the overridetimezone field in the daughter table to -1.